Insurance Software Provider Exposed Clients’ Data Stored on S3 Bucket

An insurance software provider exposed clients’ sensitive data that it had stored on an Amazon Simple Storage Service (S3) bucket.

Andrew Lech, founder of AgentRun, confirmed the breach in an email sent out to the insurance agency management software company’s clients. As quoted by ZDNet:

We were migrating to this bucket during an application upgrade and during the migration the permissions on the bucket were erroneously flipped.

At the time of discovery, the S3 bucket in question lacked password protection and was accessible to anyone. A bad actor could therefore have examined its contents, which included medical information, financial details and insurance policy documents. Many of those items contained people’s personally identifiable information (PII), including their names, addresses, dates of birth, phone numbers, Social Security Numbers, Medicare cards and even their bank checks in a few instances.

To prevent an S3 storage breach, many organizations now realize the importance of evaluating the configuration settings for their S3 buckets and other cloud-based storage assets. Some methods aren’t as effective as others. Manual evaluation processes, for example, often require lots of time and resources, and they can still miss crucial gaps.
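As an added illustration of what an automated configuration check looks at (this is not code from AgentRun, ZDNet or Tripwire's product), the Python sketch below flags public exposure from a bucket's ACL, bucket policy and Public Access Block settings. The inputs mirror the bodies returned by the S3 GetBucketAcl, GetBucketPolicy and GetPublicAccessBlock APIs; the sample values and the bucket name are constructed, and treating any policy statement that carries a Condition as non-public is a simplifying assumption.

```python
import json

# Predefined S3 groups that make an ACL grant public.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _wildcard_principal(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False

def public_exposure(acl, policy_json, pab):
    """Return findings for one bucket. pab is the
    PublicAccessBlockConfiguration object, or None if none is set."""
    pab = pab or {}  # no Public Access Block: nothing masks ACLs or policy
    findings = []
    if not pab.get("IgnorePublicAcls", False):
        for grant in acl.get("Grants", []):
            uri = grant.get("Grantee", {}).get("URI")
            if uri in PUBLIC_GROUPS:
                findings.append(f"ACL grants {grant['Permission']} to {uri.rsplit('/', 1)[-1]}")
    if policy_json and not pab.get("RestrictPublicBuckets", False):
        for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
            if (stmt.get("Effect") == "Allow" and not stmt.get("Condition")
                    and _wildcard_principal(stmt.get("Principal"))):
                actions = ",".join(_as_list(stmt.get("Action", [])))
                findings.append(f"Policy allows {actions} to any principal")
    return findings

# Constructed sample inputs (not taken from the incident described above).
SAMPLE_ACL = {"Grants": [{"Permission": "READ", "Grantee": {
    "Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}}]}
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-bucket/*"}]})
OPEN_PAB = dict.fromkeys(("BlockPublicAcls", "IgnorePublicAcls",
                          "BlockPublicPolicy", "RestrictPublicBuckets"), False)
LOCKED_PAB = dict.fromkeys(OPEN_PAB, True)

if __name__ == "__main__":
    for finding in public_exposure(SAMPLE_ACL, SAMPLE_POLICY, OPEN_PAB):
        print("EXPOSED:", finding)
```

With all four Public Access Block settings enabled, the same ACL and policy produce no findings, which is why that setting is a useful backstop against a permission flipped during a migration.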

Organizations shouldn’t leave anything up to chance when it comes to their S3 buckets. Instead, they should look into a solution like Tripwire’s Cloud Management Assessor that automatically checks to see if any S3 storage files are exposed.